Nicolas Seriot, Switzerland 




HES Software Engineer 




Cocoa developer and iPhone 

programming trainer at Sen:te 




Data-mining research assistant at Swiss University 
of Applied Sciences (HEIG-VD) since 2009 



• MAS in Economic crime investigation 



You said... Switzerland? 
iPhone Catch Up 




iPhone 



• 34 million devices worldwide 




Apple's App Store 




40,000 applications, 3 billion downloads 




Jailbreak 




Non-official firmwares; they will also run unsigned 
code, often installed with sshd 
Root Exploits 




libtiff - July 2007 




Multiple buffer overflows by Tavis 
Ormandy, exploited by Rik Farrow 




Patched in iPhone OS 1.1.2 



• SMS fuzzing - July 2009 




Demonstrated at Black Hat USA 2009 by 
Charlie Miller and Collin Mulliner 




Patched in iPhone OS 3.0. 



Root Exploits 



TUESDAY, FEBRUARY 02, 2010 



iPhone OS and Mac OS X Stack Buffer Overflow 



My second security advisory in 2010 (TKADV2010-002) describes the details of a stack buffer overflow I found in CoreAudio of 
Apple's iPhone OS and Mac OS X. The bug can be triggered by playing a maliciously crafted mp4 audio file. Example attack vectors 
on the iPhone are MobileSafari and malicious ring tones. 



Crashdump details: 

Process:         mediaserverd [17]
Path:            /usr/sbin/mediaserverd

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x41414140

Unknown thread crashed with ARM Thread State:
    r0: 0x6474613f    r1: 0x01390c40    r2: 0x3a0c361c    r3: 0x0000010d
    r4: 0x41414141    r5: 0x41414141    r6: 0x41414141    r7: 0x41414141
    r8: 0x41414141    r9: 0x00191494   r10: 0x41414141   r11: 0x41414141
    ip: 0x00918000    sp: 0x013a0c00    lr: 0x3072d454    pc: 0x41414140
  cpsr: 0x50000030



POSTED BY TK AT 10:01 PM 



http://tk-blog.blogspot.com/2010/02/iphone-os-and-mac-os-x-stack-buffer.html 



Analytics Frameworks 




PinchMedia 




Think Google Analytics for your app 




July 2009 - bloggers raise privacy concerns 




Users are not informed and can't opt-out 



Create your own 

Trusted Certificate! 




iPhones Vulnerable to New Remote Attack 



by Dennis Fisher 







There are several flaws in the way that the iPhone handles digital certificates which could lead to an 
attacker being able to create his own trusted certificate and entice users into downloading malicious files 
onto their iPhones. The attack is the end result of a number of different problems with the way that the 
iPhone handles over-the-air provisioning, trusted root certificates and configuration files. But the result of 
the attack is that a remote hacker may be able to change some settings on the iPhone and force all of 
the user's Web traffic to run through any server he chose and also to change the root certificate on the 
phone, enabling him to man-in-the-middle SSL traffic from the iPhone. 



http://threatpost.com/en_us/blogs/iphones-vulnerable-new-remote-attack-020210 



Storm 8 Lawsuit 



Backdoor in top iPhone games stole user data, suit claims 

Storm8's iSpy 

By Dan Goodin in San Francisco 

Posted in Mobile, 6th November 2009 06:02 GMT 

A maker of some of the most popular games for the iPhone has been surreptitiously 
collecting users' cell numbers without their permission, according to a federal lawsuit filed 
Wednesday. 

The complaint claims best-selling games made by Storm8 contained secret code that 
bypassed safeguards built into the iPhone to prevent the unauthorized snooping of user 
information. The Redwood City, California, company, which claims its games have been 

has no need to collect the numbers. 

"Nonetheless, Storm8 makes use of the 'backdoor' method to access, collect, and transmit the wireless 
phone numbers of the iPhones on which its games are installed," states the complaint, which was filed 
in US District Court in Northern California. "Storm8 does so or has done so in all of its games." 

Messages left for Storm8 representatives weren't returned. 




http://www.theregister.co.uk/2009/11/06/iphone_games_storm8_lawsuit/ 



http://www.boingboing.net/lawsuits/Complaint_Storm_8_Nov_04_2009.pdf 



Pulled out from AppStore 








Aurora Feint - July 2008 




Sent contact emails in clear 




20 million downloads 




MogoRoad - September 2009 




Sent phone number in clear 




Customers got commercial calls 



Both applications are back on AppStore after updating their privacy policy. 



2009-11 Worms / Jailbreak 




Exploiting default root password on SSH 



Ikee - changes wallpaper to Rick Astley 




Dutch 5 € ransom - locks iPhone against a 

ransom (not refunded) 




iPhone/Privacy.A - steals iPhone content, 
invisible, no replication 




Duh / Ikee.B - steals iPhone content, changes 
root password, Lithuanian botnet (analysis) 



This is what it looks like 
insecure! Please visit doiop.com/iHacked and 

secure your iPhone right now! 
Ikee 



Dutch 5 € ransom 



Apple Gets Bad Press 



SOPHOS 




This further demonstrates that 
iPhones are not ready for the 

business environment. 



http://www.sophos.com/blogs/chetw/g/2009/11/21/malicious-iphone-worm-loose/ 



IMHO, this is no more clever than claiming that 
Linux is not ready for business because you can 
exploit a weak default root password on SSH. 



Technical Context 



• Imagine a rogue breakout on AppStore 




iPhone OS version 3.1.3 



No jailbreak (no root access, 6-8% of iPhones) 
No hardware attacks (don't lose your iPhone) 
No calls to private APIs (there's no need to) 



No Facebook or Twitter profile data 



No root shell exploits 




Look for entry points, look for personal data 



Methodology 



Step 







Access 
personal data 




Cell Numbers 



// The phone number entered in iTunes lands in the shared user defaults,
// readable by any application without a prompt
NSUserDefaults *d = [NSUserDefaults standardUserDefaults];
NSString *phone = [d valueForKey:@"SBFormattedPhoneNumber"];
[Screenshot: Settings > Phone, showing My Number: 079 999 99 99, followed by Calls, Call Forwarding, Call Waiting, Show My Caller ID, Change Voicemail Password, SIM PIN and SIM Applications] 




Entered in iTunes 




Optional, you can 
safely change it 



Address Book API 




No "Me" record 




Unrestricted read/write access 




Tampering with data 




change *@ubs.com into 
pirate123@gmail.com 




[Screenshot: Mail compose window, From: nicolas@seriot.ch, Subject: Confidential data, body: xoxox] 



File System Access 
iPhone Sandboxing 




Restricts applications access to OS resources 




A list of deny/allow rules at kernel level 




/usr/share/sandbox/SandboxTemplate.sb 




(version 1)

; Sandbox violations get logged to syslog
; via kernel logging.
(debug deny)

(allow sysctl-read)

; Mount / umount commands
(deny file-write-mount file-write-umount)

; System is read only
(deny default)
(allow file-read*)
(deny file-write*)

; Private areas
(deny file-write*
      (regex "^/private/var/mobile/Applications/.*$"))
(deny file-read*
      (regex "^/private/var/mobile/Applications/.*$"))



Sandboxing for the Win? 




Applications on the device are "sandboxed" so they 

cannot access data stored by other applications 



In addition, system files, resources, and the kernel are 

shielded from the user's application space. 



Apple - iPhone in Business - Security Overview 

http://images.apple.com/iphone/business/docs/iPhone_Security_Overview.pdf 



This is not true, because the rules are too loose 



Demo! 



Introducing SpyPhone 



This app shows the kind of data 
a rogue application can collect. 

No private APIs were used. 
This app does not phone home. 

© 2009 - http://seriot.ch 
[Screenshot: SpyPhone "Email Report" screen listing the configured email accounts (Type: Exchange, Host: webmail.heig-vd.ch, Name: Nicolas Seriot; Type: POP, Host: pop.seriot.ch), the phone number 079 999 99 98, the SIM ICCID 8941030911837 and a "Geotagged Photos Location" entry] 
SpyPhone 




You can send a report containing 
SpyPhone personal data by email. 

You can choose the email address. 

You will see the report before you 
agree to send it. 




Contributions welcome! 




2000 lines + EXIF library 




GPL License 



Data Sources 



Email Report 




http://github.com/nst/spyphone 



Methodology 



Step 






App Store 





Put the application 
on the App Store. 




App Store and Malware 



We've built a store for the most part 

that people can trust. 




There have been applications submitted for 

approval that will steal personal data. 

- Phil Schiller, Apple senior VP 




http://www.businessweek.com/technology/content/nov2009/tc20091120_354597.htm 



0,000 submissions per week 
0% of rejections related to malware 



iPhone SDK 
Standard Agreement 



• 5.4 - You may not make any public 

statements regarding this Agreement 




Applications must not collect users' personal 
information and must comply with local laws 




Base for spyware rejection 






Published by WikiLeaks and Wired. 




AppStore Reviews 



• Reviewers can be fooled 




Spyware activation can be delayed 



• Payloads can be encrypted 




• Many things can change at runtime 



Hiding the Beast 




Guesswork about AppStore review process 




Static analysis with $ strings 




Dynamic analysis with I/O Instruments 




Monitor file openings 




Check against blacklists 




Strings Obfuscation 



- (NSString *)stringMinus1:(NSString *)s { 
    // Shift every character back by one to recover the real string 
    NSMutableString *s2 = [NSMutableString string]; 
    for(int i = 0; i < [s length]; i++) { 
        unichar c = [s characterAtIndex:i]; 
        [s2 appendFormat:@"%C", c-1]; 
    } 
    return s2; 
} 

- (void)viewDidAppear:(BOOL)animated { 
    [super viewDidAppear:animated]; 
    // The path is stored shifted by +1, so the real path never appears 
    // as a literal in the binary 
    NSString *pathPlus1 = 
      @"0wbs0npcjmf0Mjcsbsz0Qsfgfsfodft0dpn/bqqmf/bddpvoutfuujoht/qmjtu"; 
    // @"/var/mobile/Library/Preferences/com.apple.accountsettings.plist" 
    NSString *path = [self stringMinus1:pathPlus1]; 
    NSDictionary *d = [NSDictionary dictionaryWithContentsOfFile:path]; 
    // ... 
} 

This code would probably pass a static analysis 
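As an added example (not from these slides or from SpyPhone), here is the reviewer-side counterpart of the "static analysis with $ strings" step: a Python scan that tries a few character shifts on every printable run, so the pathPlus1 literal above is still matched against a watch-list. The watch-list entries come from the slides; the sample byte string is constructed.

```python
import re
from typing import List, Tuple

# Sensitive strings taken from the slides: the preferences file hidden by
# stringMinus1 and the NSUserDefaults key that holds the phone number.
WATCHLIST = (
    "/var/mobile/Library/Preferences/com.apple.accountsettings.plist",
    "SBFormattedPhoneNumber",
)

# Printable ASCII runs of 8+ bytes, the same thing `strings -n 8` reports.
_RUN = re.compile(rb"[\x20-\x7e]{8,}")


def shift_text(s: str, k: int) -> str:
    """Undo a per-character +k offset (the slide's stringMinus1 is k=1)."""
    return "".join(chr((ord(c) - k) & 0xFF) for c in s)


def obfuscate(s: str, k: int = 1) -> str:
    """Encode a literal the way the slide's pathPlus1 was produced."""
    return "".join(chr(ord(c) + k) for c in s)


def scan(blob: bytes, max_shift: int = 0) -> List[Tuple[int, int, str]]:
    """Return (offset, shift, watch_item) for every match.

    max_shift=0 is a plain `strings | grep` pass; a small positive value
    also tests each run under shifts 1..max_shift, which is enough to
    recover anything hidden by a fixed per-character offset.
    """
    hits = []
    for m in _RUN.finditer(blob):
        run = m.group().decode("ascii")
        for k in range(max_shift + 1):
            candidate = shift_text(run, k)
            for item in WATCHLIST:
                if item in candidate:
                    hits.append((m.start(), k, item))
    return hits


# Constructed stand-in for a binary's __cstring section: the obfuscated
# path literal from the slide, a plaintext key and some filler bytes.
SAMPLE = (
    b"\x00" * 16
    + b"0wbs0npcjmf0Mjcsbsz0Qsfgfsfodft0dpn/bqqmf/bddpvoutfuujoht/qmjtu\x00"
    + b"\x07\x01\xff"
    + b"SBFormattedPhoneNumber\x00"
    + b"highscore_%d\x00"
)

if __name__ == "__main__":
    print("strings-only:", scan(SAMPLE))              # misses the plist path
    print("with shifts :", scan(SAMPLE, max_shift=3))  # finds it at shift 1
```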



Apple 







GPS Kill Switch 



$ curl https://iphone-services.apple.com/clbl/unauthorizedApps 
{ 
    "Date Generated" = "2010-01-03 05:02:36 Etc/GMT"; 
    "BlackListedApps" = {}; 
} 



Discovered by Jonathan Zdziarski in August 2008 



clbl stands for "Core Location Black List" 



Prevent applications from using Core Location 



Apple never acknowledged its existence publicly 



Apple never used it - SpyPhone doesn't care 



Methodology 



Step 










This is Real World 



[xkcd #538 "Security": "A crypto nerd's imagination: his laptop's encrypted. Let's build a million-dollar cluster to crack it. No good! It's ..." versus what would actually happen: "... Got it."] 



http://xkcd.com/538/ 



The Spammer 



• Write a little breakout game 





Make it available for free on AppStore 



• Collect user email addresses + 

weather cities + user's interests 

from Safari searches and keyboard cache 




Collect Address Book emails 




Send them with high scores 




The Luxury Products Thief 






Write an app for sports 
car or luxury watches 
collectors 




Report the name, phone, 
area and geotagged 
photos of wealthy people 




When you can determine 
that someone is away 
from home, just rob him 



The Jealous Husband 



• Could also be named evil competitor or law 

enforcement officer 




Requirements: 5 minute physical access to the 
device, an Apple $99 developer license, a USB cable 




Install SpyPhone 
send the report 







Delete the report from 
sent emails, delete 
SpyPhone 




http://www.flickr.com/photos/11213613@N05/4147756184/ 



VIPs 





Francois Fillon, French Prime Minister, and 
Rachida Dati, former French Justice Minister 



< insert your attack scenario here > 



Methodology 





App Store 








So what? 



Security Through Obscurity 




Apple should not rely on 
security through obscurity 




It shouldn't claim that an 
application cannot access data 
from other applications 




It may have to review the 
iPhone S-SDLC 







Keyboard, Firewall, ... 




Clearly, the Keyboard cache shouldn't be 
readable, it should be a system service instead 




Something like an application firewall should 

inform the user and let him prevent access 




A network firewall should also be available to let 
the user opt-out from the various analytics 
frameworks 



Address Book 




Users should be required to grant read-access 
to the Address Book, as for the GPS location 




Users should be prompted again if the 
application attempts to edit the Address Book 



• Risk: being overwhelmed with pop-ups 



Toward Apple approved 

Security Policies? 



Apple could ask developers to establish a security 
policy, stating what the application can do. 







[Diagram: the Developer submits the Application together with its Security Policy; Apple signs both; the User receives the Application, its Security Policy and Apple's Signature] 



e.g. read the Address Book but not elsewhere on 
the file system, access the Internet but not the GPS 



Device Unique Identifiers 




The user should be prompted when an 

application attempts to access the UUID 




UUID may be used to link data gathered by 
different applications and frameworks 




Apple should introduce an app-device 
identifier, unique for (device, application) 




[Screenshot: iTunes device summary for "nst09": Capacity 15.33 GB, Serial Number 8S922B9W3NP, Identifier (the 40-hex-character device UDID), Software Version 3.1.2 (7D11)] 



Okay, but... 






Consumers 





Beware of the application 
they install 




Use common sense 



• Remove their cell 

number from Settings 




Reset keyboard and Safari 

caches regularly 



Professionals 




Assess risks correctly, especially 
if they are required by law to 

keep secrets. 




Medical staff, bankers, attorneys, 
law enforcement officers... 



• Use Apple's program for 
enterprise deployment, 

which lets administrators define 
profiles that enforce restrictions 




Conclusion 




Assume that spyware is on the AppStore 

$ ecosystem doesn't help 



• Massive privacy breach might be just a 

matter of time, and nobody wants that 




Sandboxing / App Store reviews are necessary, 
they should be kept and improved 



• Risks must be known and fairly evaluated 



Recap 



You've seen the iPhone's main privacy issues 



You know which personal data are at risk 



You know how spyware accesses these data 



You've seen some potential attack scenarios 



I hope you will use / deploy iPhones wisely 

Contact me: nicolas@seriot.ch , Twitter @nst02 



Time for Q&A 



Thank you! 



Private APIs 



Undocumented APIs 



Not allowed on the AppStore 



SpyPhone does not use private APIs 



Strings could be obfuscated or set remotely 



Even more data available for spyware 



// Load a private framework by path, then reach its classes by name:
// no link-time symbol, so nothing for a reviewer to spot in the binary
NSString *path = @"/System/Library/PrivateFrameworks/Message.framework"; 
BOOL bundleLoaded = [[NSBundle bundleWithPath:path] load]; 

Class NetworkController = NSClassFromString(@"NetworkController"); 
NSString *IMEI = [[NetworkController sharedInstance] IMEI]; 



Swiss Constitution 



Protection of 



Privacy 



Every person has the right to 
be protected against 
abuse of personal data 
(Art. 13 al. 2). 




Personal Data 




Personal data: all information relating to 
an identified or identifiable person. 



• Personality profile: permits an 

assessment of the essential characteristics 
of the personality of a natural person. 
Personality profiles are especially protected 
and strictly regulated. 



Laws for Spyware Authors 




May be jailed for 
up to three years 





May have to pay 

hefty fines 



• This is scarcely 
applied though 




License Agreements 



• End users are protected from overreaching 

End User License Agreements (EULAs). 




The EULA cannot simply state that you agree to 
send your personal data to bad guys if you do not 




There must be a real mutual agreement 

ruling out the use of potentially misleading terms. 



Laws for Technical Staff 




In case of damages, civil liability may 
apply to technical staff if the plaintiff can 

prove that an organization failed to protect 
confidential data properly. 




Liability could 
extend all the 
way to Apple 
itself. 




